Method and computer system for securing communication in networks

ABSTRACT

The invention relates to a method and a computer system for securing communication in networks of data processing units which can be used especially for individually created security units for portable computer systems. In order to secure the communication, the data exchange between a data processing unit to be protected and the network is monitored and/or controlled by means of a computer program which is implemented in a security computer system as embedded software, the security computer system being inserted between the data processing device to be protected and the network. A computer system providing such protection is embodied as a single board computer or as a chip solution and comprises means for exchanging data with the data processing unit to be protected, means for exchanging data with the network, and means for monitoring and/or controlling the communication between the data processing unit to be protected and the network. To this end, a means for exchanging data with the data processing unit to be protected can be connected to the bus system of the data processing unit to be protected, and/or a means for exchanging data with the network is embodied as a network interface.

[0001] The invention concerns a method and a computer system for safeguarding communication in networks, which can be applied especially for individually installed safety facilities for mobile computer systems, where the safety is effected by the integration of an embedded hardware and software system into the communication interface of the data processing facility to be protected.

[0002] Known safety solutions for firewalls, virtual private networks (VPN) or virus protection are realised in two ways:

[0003] In the first approach, software solutions are installed in the operating system of the computer to be protected. In this case, the required programs must be executed by the main processor of the system itself, and any required secret key data must, by principle, be available to the software. For this reason, neither the software nor the keys can be protected against unauthorised access by the user or by programs (in particular harmful software such as viruses or Trojan horses).

[0004] A mobile user, such as a travelling businessman, is faced with the problem that he may have to change the provider of his Internet access constantly in order to communicate quickly and economically by way of the Internet. As a rule, he does not know whether and which safety precautions are made available by the local provider of the Internet access, and he must therefore provide for his own protection. Up to now, this could only be done by the mobile user having corresponding software on his mobile equipment, which he then has to adapt to the conditions of the individual network provider as required. The configuration is, as a rule, a task which can only be performed by specially trained personnel and must be repeated for each new (mobile) piece of equipment.

[0005] The second approach is characterised in that hardware solutions in the form of external computers (on which, again, special safety software is installed) are realised which are either specifically introduced into the network connection of the computer to be protected or are made available by the provider of the network connection (and usually also administered by the provider).

[0006] It is characteristic of both approaches, however, that the configuration required for effective protection is too much for a non-professional to cope with. Owing to the particular complexity of a secure network connection, many users are not capable of performing a secure and reliable configuration on their computers and of setting up the standard system for the safety functions. It is therefore necessary to have these settings specified by a specially trained administrator. For software solutions, as applied in the first approach described above, one important requirement among others cannot be ensured: it should be impossible for the user to change the safety settings selected by the administrator, whether unintentionally or intentionally, and it should likewise be impossible for any harmful functions on the client computer to change safety settings or to retrieve secret key data. Solutions previously realised in software have the problem that their configuration is frequently incorrect and that other software running on the computer to be safeguarded can have unintended influences. The overall system is then in an undefined and, consequently, insecure condition.

[0007] Safety software configured by a user provides no protection whatsoever in the event of faulty configuration; it offers only a deceptive security. Software which is to ensure security must therefore be configured by an administrator who is specially trained for this particular field. With software solutions, these requirements cannot be ensured. For this reason, the use of a dedicated software/hardware solution is necessary, as already mentioned in the second approach described above.

[0008] With a software/hardware solution made available by the provider of the network connection, it is not ensured that the provider has carried out the safety settings correctly and to the requested extent. In addition there is the possibility that, for example when a mobile computer system (laptop, PDA) is connected to an external network, the local area of the computer network is protected against outside access by a safety system (firewall), but no safety precautions are provided within the closer environment (e.g., within a work group in a company network).

[0009] A further disadvantage of the previously applied solutions is the fact that access authorisations are often person-related. The result is that an actually authorised person in some cases receives no access to data from a computer whose safety functions are not specifically configured for him, even though he would most certainly have access authorisation.

[0010] For the reasons stated above, the invention is based on the task of creating a safety solution which avoids the disadvantages already stated, particularly the additional configuration of special hardware or software on user computers (clients), thus eliminating the danger of unintended influence on the safety software by other software installed on the client. In addition, the invention is to make possible a flexible and client-based protection of computer systems and to provide a solution which allows safety-relevant data to be stored separately from the client, so that they are protected against access from the direction of the client.

[0011] This task is solved according to the invention by the features in the characterising part of claims 1 and 19 in interaction with the features in the preamble. Purposeful embodiments of the invention are contained in the subclaims.

[0012] An advantage of the method for safeguarding the communication in networks, with the intermediate arrangement of a safety computer system between a data processing facility to be protected and the network, lies in the fact that an effective defence against harmful access to or intervention in the data processing facility to be protected is achieved, since the data exchange between the data processing facility to be protected and the network is monitored and/or controlled, according to a pre-specified set of rules, by at least one computer program implemented as embedded software on the safety computer system.

[0013] A computer system for safeguarding the communication in networks which realises this protection is advantageously constructed in such a way that the computer system is designed as a single board computer or as a chip solution and encompasses at least one means for data exchange with a data processing facility to be protected, at least one means for data exchange with the network and at least one means for monitoring and/or controlling the communication between the data processing facility to be protected and the network. Preferably, a means for data exchange with the protection-requiring data processing facility is connectable to the bus system of the protection-requiring data processing facility and/or a means for data exchange with the network is executed as a network interface.

[0014] A further advantage of the method for safeguarding the communication in networks of data processing facilities is that the safety computer system is connected to the bus system of the protection-requiring data processing facility and the connection between the protection-requiring data processing facility and the network is established by way of an interface of the safety computer system.

[0015] A preferred embodiment of the method according to the invention envisages that the pre-specified set of rules for the monitoring and/or control of the data to be exchanged between the protection-requiring data processing facility and the network covers person-related rules and/or rules individually pre-specified for the protection-requiring data processing facility.

[0016] A further advantage is that the individually pre-specified set of rules examines the authorisation for access from source systems to the protection-requiring data processing facility and/or examines the authorisation for access to target systems from the direction of the protection-requiring data processing facility and/or realises the encryption and decryption, respectively, of the data to be exchanged, and/or performs the build-up of a virtual private network (VPN) and transparently transmits the data to be exchanged through the VPN channel, and/or analyses the contents of the data to be exchanged. The analysis of the data to be exchanged serves, among other things, the purpose of detecting viruses and/or Trojan horses. The best possible protection is, of course, obtained if all data to be exchanged between the protection-requiring data processing facility and the network run through the safety computer system.

[0017] Moreover, it is seen as an advantage that the build-up of a VPN is effected only after successful authentication, and not before.

[0018] A further preferred embodiment of the method according to the invention envisages that the configuration of the safety computer system and/or the embedded software is effected via the network by way of an interface. It is furthermore envisaged that the maintenance and/or administration of the safety computer system is effected from the protection-requiring data processing facility or as remote maintenance via the network. As required, the maintenance and/or administration of the embedded software covers the extension of the functionality of the computer program implemented as embedded software.

[0019] The safety computer system and the safety settings on this system are advantageously secured in such a way that the computer program monitoring and/or controlling the data to be exchanged between the protection-requiring data processing facility and the network cannot be changed from the side of the protection-requiring data processing facility, or can only be changed after authentication.

[0020] A particularly uncomplicated administration results when the safety computer system appears transparent to the protection-requiring data processing facility and/or the network. An additional safety level can be achieved in that the safety computer system is not transparent but rather establishes its own private sub-network on the side of the protection-requiring data processing facility, so that from the direction of the network only the safety computer system is visible.

[0021] It is particularly advantageous with mobile equipment that the safety computer system is integrated as an embedded system in the communication interface of the protection-requiring data processing facility. This can be done by integrating the safety computer system as an insertion card or as a PCMCIA card in the protection-requiring data processing facility. Advantageously in the case of mobile equipment, the power supply of the safety computer system is effected by way of the protection-requiring data processing facility. In addition, the deployment of the safety computer system according to the invention is facilitated in that it is connected to the protection-requiring data processing facility in the same way as commercially available network connection hardware.

[0022] The safety of the protection-requiring data processing facility is particularly increased by the fact that strictly confidential data such as electronic keys or electronic signatures exist only on the safety computer system. An additional increase in safety is achieved by the fact that strictly confidential data on the safety computer system cannot be changed from the side of the protection-requiring data processing facility, or can only be retrieved after entry of a password.

[0023] Depending on the interfaces of the protection-requiring data processing facility, the safety computer system is advantageously executed in such a way that it has a means for data exchange with the protection-requiring data processing facility which is formed as a PCMCIA bus or as a PCI bus or as a USB bus or as an IEEE 1394 bus (FireWire), or else as an RS-232 interface or as an Ethernet interface or as a USB interface.

[0024] In a preferred embodiment of the computer system according to the invention, it is additionally envisaged that at least one means for data exchange with the network includes a modem and/or a mobile telephone processor.

[0025] In addition, it is an advantage that at least one means for monitoring and/or control of the communication includes a firewall and/or an intrusion detection system and/or a public key management.

[0026] In order to obtain the highest possible degree of miniaturisation, it is envisaged in a preferred embodiment of the computer system according to the invention that the computer system is formed as a system on chip.

[0027] User-friendly handling is achieved where the safety computer system is integrated in a cable or a card or a chip for the network access, or is formed as an insertion card or as a PCMCIA card.

[0028] Because the safety device belongs to the protection-requiring data processing facility and takes over its specific protection, and at the same time is, as an embedded system, an independent unit not influenced by errors on the side of the client system or its user, the best possible protective effect is ensured.

[0029] It is an advantage that the system appears completely transparent to the user and, to simplify handling, is connected to the protection-requiring data processing facility in such a way that it is integrated into it and can be connected to the network by the user in the same manner as normal network connection hardware.

[0030] Further advantages of the invention compared with a pure software solution on the client, such as a PC or mobile equipment (notebook, PDA or similar), are that, by means of the invention, the client is protected against direct access from the Internet because, with a corresponding configuration, it receives no address that can be reached from the Internet. The configuration data for the Internet/Intranet access are located on the computer system according to the invention and not on the client. Therefore, the data cannot be copied or changed by the user.

[0031] The invention provides an embedded hardware and software system which the user cannot change and which he does not have to change at all. The problem of the former software solutions, namely that they are frequently not correctly configured because of the high complexity of the systems and/or insufficient competence of the administrator, or that other software can have unintended influences, is therefore eliminated by the invention.

[0032] The invention unifies a mini-firewall and a VPN in one equipment unit. The user is not required to perform the complex configuration of such a system; this is done only by the administrator, and a high safety level is achieved in the process.

[0033] All keys (keys, passwords) as well as person-specific information are stored safely on the hardware of the embedded hardware and software system, which is independent of the client. Consequently, this information does not have to be kept on the client. This separation (there are two different operating systems here) also raises the overall safety to a significantly higher level than if all software were located on one system alone. This principle of different operating systems is applied in particular for multi-stage firewalls in order to achieve effective protection against attacks.

[0034] The configuration of the embedded hardware and software system can be carried out remotely by way of a secure channel. In this case, the administrator only has to take care of the configuration of one piece of software, because the embedded hardware and software system is independent of the operating system of the (mobile) equipment unit to be protected.

[0035] Up to now, for each operating system in use (Unix, MacOS, Windows, . . . ), an administrator had to know which software is available for which safeguarding purpose (firewalling/VPN), and he also had to know how this software has to be configured.

[0036] The invention is explained in greater detail below by means of an embodiment, illustrated at least in part in the figures.

[0037] The figures show the following:

[0038] FIG. 1: Arrangement of the computer system for the connection of a client to a communication network;

[0039] FIG. 2: Block diagram of the hardware module of the computer system;

[0040] FIG. 3: Software components installed on the processor of the computer system;

[0041] FIG. 4: Illustration of the client-side and the server-side data flows, respectively;

[0042] FIG. 5: Illustration of exemplary interfaces of the computer system;

[0043] FIG. 6: A principle illustration of a safety solution where the safety functions are installed in the operating system of the computer to be protected;

[0044] FIG. 7: A principle illustration of a safety solution with the use of external safety hardware (e.g., firewall);

[0045] FIG. 8: A principle illustration of a safety solution with the use of a safety system (hardware and software) located between the bus system and the network interface.

[0046] Modern embedded systems (single-board computers) are characterised in that they can be miniaturised to a considerable degree. A particularly compact arrangement is the so-called system on chip. The dimensions of the computer systems reduce by a further order of magnitude when the methods are executed as a chip solution in one single chip. An exemplary execution of the invention can therefore be that an embedded hardware and software system 1 is adopted which is executed as a system on chip or as a chip solution where, because of the small structural form (chip size), it can be easily integrated into a PCMCIA card or a (mobile) telephone equipment unit. In this way, the invention is also deployable if interfaces such as WLAN (wireless local area network), GPRS (general packet radio service) or UMTS (universal mobile telecommunications system) are used for the access to a network, or when a pay-card is to be applied with networking services for which fees are demanded. According to the invention and for the purpose of safeguarding communication in networks, the safety computer system is installed as an embedded hardware and software system 1 between the client computer 2 and the network 45 (compare FIG. 1). In a preferred embodiment, the invention is executed in such a way that the physical size of the embedded hardware and software system 1 allows an implementation in a cable or similar. The embedded software is advantageously configured in such a way that it provides safety functions which do not influence the connected client (e.g., a mobile equipment item) and the Internet access with regard to their respective functions, and which are also not evident from the communication protocol. The principal physical construction is shown in FIG. 2. An exemplary embodiment of the embedded hardware and software system 1 includes, for example, as a hardware module a processor 9, a RAM 10 and a Flash ROM 11. It is evidently purposeful that at least the most common interfaces for communication in networks are supported by the embedded hardware and software system 1.

[0047] The client 2 (notebook, PC etc.) can, for example, be connected by way of the following interfaces 4 (refer also to FIG. 5):

[0048] RS-232 interface 13,

[0049] Ethernet interface 14,

[0050] USB interface 15.

[0051] This is the most common approach. The embedded hardware and software system 1 can, however, also be connected to the client computer 2 by way of the bus system 43, as shown in greater detail further below. In this case, various bus systems 43 would have to be supported, such as:

[0052] a PCMCIA bus or

[0053] a PCI bus or

[0054] a USB bus or

[0055] an IEEE 1394 bus (FireWire).

[0056] The embedded hardware and software system 1 should make available several interfaces 5 on the server side for the connection to the Internet 6:

[0057] IrDA interface 16,

[0058] Bluetooth interface 17,

[0059] Ethernet interface 14 (e.g., ADSL),

[0060] RJ45 interface 19 (for the connection to the telephone network via a modem 18).

[0061] In addition, further interfaces can be envisaged, as illustrated in FIG. 5:

[0062] a modem 18,

[0063] a UMTS interface 36,

[0064] a DSL interface 37,

[0065] a GPRS interface 38 and/or

[0066] a POT interface 39.

[0067] If required, a power supply 12 can be envisaged.

[0068] These listings are not to be regarded as final. Interface protocols yet to be developed should be purposefully integrated into the embedded hardware and software system 1. The hardware solution is designed for minimisation, also in the sense of the minimality principle of computer safety, in such a way that only those resources (CPU, memory) are applied which are necessary for the operation of an embedded operating system. The embedded operating system and the system programs necessary for the individual functionality support the safety tasks in such a way that all safety functions are implemented to such an extent that no changes on the client 2 or at the Internet access are necessary. A configuration of the safety software can only be performed by the system administrator, who has a higher degree of training in this field than a normal user. The embedded hardware and software system 1 is then in a position to ensure the safety of the equipment to be protected (client 2) located behind it, without the user having to, or being able to, intervene in the configuration of the software required for safety purposes. The embedded hardware and software system 1, when connected to an external network (e.g., the Internet 6), takes over the firewall functionality required for client 2 and is at the same time available as a server for the communication of client 2 by way of a VPN with the internal company network (Intranet 7). By means of the spatial separation of the hardware and software used for working purposes from the firewall and VPN software required for safety purposes and located on a "hardened" operating system, the safety of the computer to be protected (client computer 2) is substantially higher than if all programs were running on one machine. The term "hardened" operating system is understood to mean an operating system which is reduced to the absolutely necessary functionality. Where computer safety is concerned, the principle of minimality applies: the less software available on one equipment unit, the lower the susceptibility to safety-relevant errors in the software which could make an attack possible. On the other hand, preventing configuration by a user, who could detrimentally affect the safety of essential parts of the equipment to be protected by an unintended faulty configuration, is also only possible with the spatial separation of the components "work" and "safety".

[0069] With the method according to the invention, the communication, for example between a mobile piece of equipment (client 2) and the Internet 6, is established by means of the embedded hardware and software system 1. The necessary and the optional software components are shown in FIG. 3. For a basic system, the transparent router/VPN (e.g., IPsec) 20, the DHCP 23, the key management 25, the Firewall 26 and the remote control 27 are to be regarded as necessary modules. Further modules such as system monitoring, an IDS 22, an automatic update 24 and further optional software modules 28 can, of course, be included; they serve the extension of functionality and can, for example, be implemented as virus scanners for e-mails.

[0070] With the use of the invention there is no direct data flow between the client 2 and the Internet 6. Rather, a communication connection 8 is established between the client 2 and the embedded hardware and software system 1, and separately between the embedded hardware and software system 1 and the Internet 6. The split-up arrangement of the data flows is shown in FIG. 4.

[0071] Essential components of the client-side data flow are, for example:

[0072] the connection set-up 29 to the client 2,

[0073] the exchange 30 of non-encrypted data and

[0074] the exchange 31 of the IP addresses.

[0075] On the server and/or network side, the data flow contains, for example:

[0076] the connection set-up 32 to the server 3,

[0077] the data exchange 33 for the management,

[0078] the data exchange 34 for the configuration of the embedded hardware and software system 1 and

[0079] the data exchange 35 upon update of the embedded hardware and software system 1.

[0080] The system administrator configures the embedded hardware and software system 1 and sets, for example with the use of a VPN, the following parameters:

[0081] X.509 certificate for the embedded hardware and software system 1 and its private key,

[0082] X.509 certificate of the company using the VPN,

[0083] Address of the network behind the VPN gateway of the company,

[0084] Address of the VPN gateway of the company.

[0085] If the user uses the embedded hardware and software system 1 for communication in a network 45, a connection is established (e.g., by means of the DHCP server 23 of the embedded hardware and software system 1) between the mobile equipment (client 2) and the embedded hardware and software system 1. In addition, a connection is established between the embedded hardware and software system 1 and the Internet 6, where the VPN and the Firewall 26 are activated.

[0086] The embedded hardware and software system 1 and a special server 3 within the company which uses the VPN serve as the end-points of the VPN in this case. Either the server 3 acts as the Internet access for the company, or the IP packets are tunnelled (VPN end-points) through the existing Internet access to the server 3 by the embedded hardware and software system 1. In addition, the server 3 is responsible for the configuration of the embedded hardware and software system 1. If a client 2 registers at the server 3 by way of the embedded hardware and software system 1, the software status of the embedded hardware and software system 1 is checked and renewed as required (automatic update). Furthermore, the server 3 is necessary for the dedicated access control to the company-internal resources.

[0087] If the VPN, for example, is realised with the IPsec protocol, the VPN processes the key exchange with the pre-configured VPN gateway of the company by way of UDP port 500. Following a successful key exchange, IP packets of protocol type 50 (ESP), i.e. the encrypted IP packets, are exchanged between the embedded hardware and software system 1 and the VPN gateway. Which IP packets the embedded hardware and software system 1 must encrypt and channel to the VPN gateway is recognised by it from the pre-configured address of the network behind the VPN gateway of the company, which is, in computing terms, an entry in the routing table pointing to the virtual IPsec device.
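The routing and tunnelling decision described in the paragraph above, as an added example that is not part of the patent and not the applicant's code: a small Python model in which the company network behind the VPN gateway and the gateway address are the constructed values below (the parameters of [0083] and [0084]), the tunnel carries traffic only after a successful, authenticated key exchange with the gateway on UDP port 500, and packets for the company network are wrapped in a protocol 50 (ESP) packet addressed to the gateway while everything else leaves in the clear. The device names ipsec0 and eth1, the uplink address and the RFC 5737 documentation addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional

# Constructed configuration values (assumptions, not from the patent).
COMPANY_NETWORK = ipaddress.ip_network("10.20.0.0/16")  # network behind the VPN gateway
VPN_GATEWAY = ipaddress.ip_address("198.51.100.10")     # the company's VPN gateway
UPLINK_ADDR = "203.0.113.5"                             # address the provider gave the device
ESP_PROTOCOL = 50   # IP protocol number of ESP: the encrypted packets after key exchange
IKE_PORT = 500      # UDP port on which the key exchange with the gateway runs


class TunnelState(Enum):
    DOWN = auto()         # no successful key exchange yet
    ESTABLISHED = auto()  # key exchange done, ESP may be used


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    payload: bytes = b""


@dataclass
class VpnRouter:
    """Routing table of the embedded system: one entry for the company network
    pointing at the virtual IPsec device, plus a default route to the plain
    Internet uplink (device names are assumed)."""
    company_network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    uplink_addr: str
    state: TunnelState = TunnelState.DOWN
    routes: list = field(default_factory=list)

    def __post_init__(self):
        self.routes = [
            (self.company_network, "ipsec0"),
            (ipaddress.ip_network("0.0.0.0/0"), "eth1"),
        ]

    def lookup(self, dst: str) -> str:
        """Longest-prefix match over the routing table; returns the device name."""
        addr = ipaddress.ip_address(dst)
        matching = [r for r in self.routes if addr in r[0]]
        return max(matching, key=lambda r: r[0].prefixlen)[1]

    def key_exchange(self, peer: str, port: int, authenticated: bool) -> bool:
        """Key exchange with the pre-configured gateway on UDP/500. The tunnel
        comes up only after a successful, authenticated exchange (cf. [0017])."""
        if peer == str(self.gateway) and port == IKE_PORT and authenticated:
            self.state = TunnelState.ESTABLISHED
        return self.state is TunnelState.ESTABLISHED

    def route(self, pkt: Packet):
        """Returns ('plain', pkt), ('esp', outer_pkt) or ('drop', None)."""
        if self.lookup(pkt.dst) == "eth1":
            return ("plain", pkt)            # not for the company network: send as is
        if self.state is not TunnelState.ESTABLISHED:
            return ("drop", None)            # no tunnel yet: intranet traffic never leaves in clear
        # Encapsulate: the outer packet is protocol 50 to the gateway; the inner
        # packet would be encrypted here (shown only as opaque payload).
        inner = f"{pkt.src}->{pkt.dst}/{pkt.proto}".encode()
        outer = Packet(src=self.uplink_addr, dst=str(self.gateway),
                       proto=ESP_PROTOCOL, payload=inner)
        return ("esp", outer)


if __name__ == "__main__":
    r = VpnRouter(COMPANY_NETWORK, VPN_GATEWAY, UPLINK_ADDR)
    print(r.route(Packet("192.168.1.10", "10.20.3.4", 6, 80)))       # dropped: tunnel down
    r.key_exchange(str(VPN_GATEWAY), IKE_PORT, authenticated=True)
    print(r.route(Packet("192.168.1.10", "10.20.3.4", 6, 80)))       # ESP to the gateway
    print(r.route(Packet("192.168.1.10", "93.184.216.34", 6, 443)))  # plain
```

The point of the DOWN state is the ordering the patent insists on in [0017]: traffic for the company network is dropped rather than sent unprotected while the key exchange has not completed, so a failed or spoofed exchange (wrong peer, wrong port, unauthenticated) leaves the tunnel down.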

[0088] After this, the VPN connection is established; a controlled and protected access to the company Intranet 7 as well as to the Internet 6 can take place. The embedded hardware and software system 1 can consequently be integrated transparently into the connection route between the client 2 and the Internet 6. From the point of view of the mobile equipment (client 2), the embedded hardware and software system 1 simply represents the modem 18 or the LAN connection to the Internet 6. Specific software adaptations on the mobile equipment are not necessary.

[0089] The Firewall 26 protects the client 2 in two ways. It not only acts as a packet filter, but it also masks the IP address of the client 2. These two functions of the Firewall 26 serve the purpose of making attacks on client 2 difficult.

[0090] The Firewall 26 acts as a packet filter in the following manner: the Firewall 26 permits the initiation of connections via TCP only from the client 2 requiring protection. Initiations from the other direction, meaning initiations of connections to the client 2, are admitted only with limitations at the Firewall 26, or generally rejected, and an undesirable data exchange is thereby prevented. Connections by way of UDP (User Datagram Protocol) are only admitted via the ports which are necessary for the communication of the client 2 with the Internet 6 and the internal company network (Intranet 7). Packets which use the protocol ICMP (Internet Control Message Protocol) are also allowed through the Firewall 26, but only restricted to what is absolutely necessary.

[0091] On the use of the masking: the IP address which the Firewall 26 receives when dialling into the Internet 6 via a telephone line is presently assigned dynamically by the Internet provider. That means that the provider gives the dialling-in machine an IP address which can change from dial-in to dial-in. A fixed IP address, which does not change from dial-in to dial-in, is only obtainable from some providers. When the embedded hardware and software system 1 is used, the IP address that appears to the outside is the one which has been allocated to the Firewall 26 by the provider. The IP address of the client 2 remains undisclosed to the outside. Because the IP address of the client 2 does not appear to the outside, attacks are also substantially more difficult to carry out, since knowledge of the IP address of a computer is necessary for any targeted attack on it.
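The two functions of the Firewall 26 described in the preceding paragraphs, packet filtering and masking of the client address, as an added example that is not part of the patent and not the applicant's code: a Python model of a stateful filter in front of one client. TCP connections may be initiated only by the client, inbound packets pass only if they belong to a flow the client opened, UDP is admitted only on a constructed allow-list of ports, ICMP is limited to echo requests out and matching echo replies in, and every packet leaving carries the provider-assigned address instead of the client's. The addresses, the allowed UDP ports and the ICMP policy are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1          # IP protocol numbers
SYN, ACK = 0x02, 0x10              # TCP flag bits
ECHO_REQUEST, ECHO_REPLY = 8, 0    # ICMP types


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0       # TCP/UDP source port
    dport: int = 0       # TCP/UDP destination port
    flags: int = 0       # TCP flags
    icmp_type: int = 0
    icmp_id: int = 0     # ICMP echo identifier, used to match a reply to its request


class Firewall:
    """Stateful packet filter plus masquerading for a single protected client.
    Constructed model of the two functions of Firewall 26; the allowed UDP
    port list and the ICMP policy are assumptions."""

    def __init__(self, client_addr: str, public_addr: str, allowed_udp_ports):
        self.client = client_addr              # the protected client's private address
        self.public = public_addr              # address assigned by the provider
        self.allowed_udp = set(allowed_udp_ports)
        self.conntrack: set = set()            # (proto, client port or icmp id, peer, peer port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> network. Returns the masqueraded packet, or None if dropped."""
        if pkt.src != self.client:
            return None
        if pkt.proto == TCP:
            key = (TCP, pkt.sport, pkt.dst, pkt.dport)        # client may initiate TCP freely
        elif pkt.proto == UDP and pkt.dport in self.allowed_udp:
            key = (UDP, pkt.sport, pkt.dst, pkt.dport)        # only the necessary UDP ports
        elif pkt.proto == ICMP and pkt.icmp_type == ECHO_REQUEST:
            key = (ICMP, pkt.icmp_id, pkt.dst, 0)             # only echo requests leave
        else:
            return None
        self.conntrack.add(key)
        return replace(pkt, src=self.public)   # the client address never appears outside

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Network -> client. Only replies to tracked flows pass, never new connections."""
        if pkt.dst != self.public:
            return None
        if pkt.proto == TCP and (pkt.flags & SYN) and not (pkt.flags & ACK):
            return None                        # inbound connection initiation rejected
        if pkt.proto == ICMP:
            if pkt.icmp_type != ECHO_REPLY:
                return None                    # assumption: only echo replies are needed
            key = (ICMP, pkt.icmp_id, pkt.src, 0)
        elif pkt.proto in (TCP, UDP):
            key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        else:
            return None
        if key not in self.conntrack:
            return None                        # no matching outbound flow: drop
        return replace(pkt, dst=self.client)   # un-masquerade towards the client


if __name__ == "__main__":
    fw = Firewall("192.168.1.10", "203.0.113.5", allowed_udp_ports={53, 500})
    print(fw.outbound(Packet("192.168.1.10", "93.184.216.34", TCP, 40000, 80, SYN)))
    print(fw.inbound(Packet("93.184.216.34", "203.0.113.5", TCP, 80, 40000, SYN | ACK)))
    print(fw.inbound(Packet("198.51.100.7", "203.0.113.5", TCP, 44444, 22, SYN)))  # None
```

Seen from the network, every flow originates at 203.0.113.5, and an unsolicited SYN towards that address is dropped before any lookup; a reply is forwarded to the client only if the reverse 4-tuple of the packet was recorded when the client opened the flow.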

[0092] As follows, the invention is described on the basis of a furtherembodiment form. In this embodiment form, the protective function isalso achieved in that an additional computer system is installed whichis also advantageously realised as an embedded system or, alternatively,as a one-chip solution. A particular user-friendliness is achieved wherethe embedded system in built into the client system 2 in such a way thatit appears transparent for the client system 2, therefore for the userin operating there is no difference compared with a normal networkconnection.

[0093] By contrast with the interconnection of the equipment normallycarried out, in this embodiment example the safety system is installedas an embedded hardware and software system 1 between the bus system 43and the network interface 44 a (compare FIG. 8), where the networkinterface 44 a is now operated from the embedded hardware and softwaresystem 1.

[0094] In the following, the difference from the previous embodiment example and from the conventional approach is clarified in greater detail.

[0095] Conventional Structure

[0096] 40 User application

[0097] 41 Operating system

[0098] 42 Hardware-specific driver (e.g. for the network interface)

[0099] 43 Bus system

[0100] 44 Network interface hardware

[0101] 45 Network (e.g., Internet 6 or Intranet 7)

[0102] New Structure

[0103] 40 User application

[0104] 41 Operating system

[0105] 42 a Hardware-specific driver, tuned to the embedded system according to the invention

[0106] 43 Bus system

[0107] 1 Embedded hardware and software system

[0108] 44 a Network interface hardware

[0109] 45 Network

[0110] With the use of the conventional structure, the operating system 41 uses a hardware-specific driver 42 which is specifically tuned to the network interface hardware 44. Here, the hardware-specific driver 42 must map the requirements of the operating system 41 onto the individual hardware 44. The programming interface between the operating system 41 and the hardware-specific driver 42 is dependent on the operating system, but it is standardised for each individual operating system 41. With this, the chain “hardware-specific driver 42—bus system 43—network interface hardware 44” appears the same to the operating system 41 in each case, independent of the selected components. With this conventionally applied structure, the safety functions (software) 46 installed in the operating system 41 of the protection-requiring computer (client computer 2) are located before this chain “hardware-specific driver 42—bus system 43—network interface hardware 44” (compare FIG. 6). As an alternative to this, the application of external safety hardware 47, such as the use of Firewalls, is known. In this case, the safety system is arranged behind this chain (compare FIG. 7).

[0111] With the deployment of the invention, an embedded hardware and software system 1 is now installed between the bus system 43 and the network interface 44 a (compare FIG. 8), where the network interface 44 a is now operated from the embedded hardware and software system 1. The driver 42 a is realised here in such a way that it is suitable for the interface of the embedded hardware and software system 1. Consequently, the installed embedded hardware and software system 1 appears fully transparent to the operating system 41. The operating system 41 and the user applications 40 (and all other harmful programs such as viruses and Trojan Horses) therefore cannot disturb the protection functions of the embedded hardware and software system 1. Settings for the protection cannot be changed. Secret information such as electronic keys exists only on the embedded hardware and software system 1 and cannot be called up or changed from the client computer 2.

[0112] If the embedded hardware and software system 1 is installed in the described manner between the client computer 2 and the network 45, all data packets that leave or enter the client computer 2 pass through the embedded hardware and software system 1 and can be inspected according to the set of rules on the embedded hardware and software system 1.

[0113] In this case, it can be ensured by examination of the flow direction of the data packet as well as of the sender and receiver addresses that:

[0114] no data packets of an incoming connection are allowed through and/or only such connections can be set up as are allowed in the set of rules, so that the client computer 2 is protected against attacks from the network 45;

[0115] only the data packets of an outgoing data connection are allowed through whose set-up is allowed in the set of rules.
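The packet-filter policy of [0090] and [0112]–[0115], combined with the address masking of [0091], as an added Python example that is not part of the patent: the client and firewall addresses, the permitted UDP ports and the permitted ICMP types are constructed for the example, and the masquerade keeps the client's source port unchanged for simplicity.

```python
from dataclasses import dataclass, replace

# Constructed addresses for the example: the client 2 behind the filter and
# the address that the provider allocated to the Firewall 26 (see [0091]).
CLIENT_IP = "192.168.0.2"
FIREWALL_IP = "203.0.113.10"
ALLOWED_UDP_PORTS = {53, 500, 4500}   # assumed: DNS and IKE/NAT-T for the VPN
ICMP_OUT = {8}                        # echo request from the client
ICMP_IN = {0, 3, 11}                  # echo reply, unreachable, time exceeded


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP connection initiation
    ack: bool = False
    icmp_type: int = -1


class Firewall:
    """Stateful filter: initiation only from the client, inbound only as reply."""

    def __init__(self):
        # (client port, remote address, remote port) of flows the client opened
        self.state = set()

    def process(self, pkt):
        """Return the packet to forward (masqueraded), or None to drop it."""
        if pkt.src == CLIENT_IP:
            return self._outbound(pkt)
        if pkt.dst == FIREWALL_IP:
            return self._inbound(pkt)
        return None   # neither from the client nor addressed to the firewall

    def _outbound(self, pkt):
        key = (pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp":
            if pkt.syn and not pkt.ack:
                self.state.add(key)           # initiation from the client: allowed
            elif key not in self.state:
                return None                   # data without a known connection
        elif pkt.proto == "udp":
            if pkt.dport not in ALLOWED_UDP_PORTS:
                return None                   # only the necessary UDP ports
            self.state.add(key)
        elif pkt.proto != "icmp" or pkt.icmp_type not in ICMP_OUT:
            return None                       # ICMP restricted to what is needed
        # Masking ([0091]): only the firewall's address appears on the network.
        return replace(pkt, src=FIREWALL_IP)

    def _inbound(self, pkt):
        if pkt.proto == "icmp":
            return replace(pkt, dst=CLIENT_IP) if pkt.icmp_type in ICMP_IN else None
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
            return None                       # initiation from the network: rejected
        if (pkt.dport, pkt.src, pkt.sport) not in self.state:
            return None                       # no flow the client opened
        return replace(pkt, dst=CLIENT_IP)
```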

[0116] Furthermore, those particular packets can be detected from the sender and target addresses whose target can be reached by way of an optional VPN. In this case, these packets can be transmitted transparently through the VPN channel. It is, however, recommended here to carry out the set-up of the VPN only after authorisation by the user (e.g., with a password), in order to prevent an unauthorised dial-in into the VPN in the event that the safety computer system is lost.

[0117] Furthermore, the exemplary safety computer system is to be designed as an embedded system in such a way that, in the normal operating case, no configuration data can be exchanged by way of the interface “bus system 43—embedded hardware and software system 1” except for the data which is technically required for the operation of the network interface hardware 44 a. This safety feature is ensured by the embedded hardware and software system 1 itself, because the characteristics of the user programs 40, the operating system 41 and a driver 42 and/or 42 a can be modified by the user or by means of harmful programs.

[0118] For setting the safety characteristics and for further configuration of the embedded hardware and software system 1, a special configuration interface is therefore required at which the administrator must authenticate himself to the embedded hardware and software system 1 (such as with a password or with the help of an electronic key, e.g. according to the X.509 standard). For this purpose, the interface 4 from the side of the client computer 2 could be used by way of the chain “operating system 41—hardware-specific driver 42 a tuned to the embedded system according to the invention—bus system 43—embedded hardware and software system 1”, as could remote maintenance by way of the chain “network 45—network interface hardware 44 a—embedded hardware and software system 1”.

[0119] With the arrangement, in this embodiment, of the embedded hardware and software system 1 between the operating system 41 of the client computer 2 and the network 45, the normally used network interface hardware 44 is replaced for safeguarding a client computer 2.

[0120] For this reason, the best possible protective effect for the client computer 2 is ensured in that the embedded hardware and software system 1 belongs to the client computer 2 to be protected and takes over its specific protection, while at the same time representing, as an embedded system, an independent unit not influenced by errors on the part of the client computer 2 or its user.

[0121] Here, the embedded hardware and software system 1 should be fully transparent for the user and, in the sense of particularly low expenditure, be connected with the client computer 2 in such a way that it is integrated in it as well as possible, or that it can be connected up by the user as normal network hardware would be connected up. With a mobile computer as client computer 2, it is additionally particularly advantageous that the embedded hardware and software system 1 draws its power supply from the client computer 2, where this feature would also be advantageous with a stationary client computer 2.

[0122] Depending on the client computer 2, various bus systems 43 are selectable. With a laptop, it could be the CardBus/PCMCIA bus. It could just as well be a PCI bus, USB bus, IEEE 1394 bus (FireWire) or another bus system 43 by way of which the operating system 41 is connected with the network 45. Network 45 describes a general connection of two or more computers, for example a connection to the Internet 6 by way of Ethernet hardware, by way of a wireless connection (wireless LAN) or another technical mode for network connections. The invention can be applied to all other network connections, such as USB-USB networks.

[0123] If the embedded hardware and software system 1 is integrated for example on a PCMCIA card, and with corresponding person-related configuration of the rules and/or safety functions, this card can be issued as an authorisation card, with which the owner can use his specific rights on various computers.

[0124] With a corresponding configuration of the computer system and such authorisation cards, such an approach could, for example in large companies, simplify the safety precautions and increase the protection against unauthorised access to data.

[0125] The invention is not limited to the embodiment examples stated here. Moreover, it is possible to realise further embodiment variants by means of combination and modification of the means stated herein, without departing from the framework of the invention.

Reference Parts List

[0126] 1. Embedded hardware and software system

[0127] 2. Client

[0128] 3. Server

[0129] 4. Client interface

[0130] 5. Server interface

[0131] 6. Internet

[0132] 7. Intranet

[0133] 8. Communication between the client and the embedded hardware and software system

[0134] 9. Processor

[0135] 10. RAM

[0136] 11. Flash ROM

[0137] 12. Power supply

[0138] 13. RS 232 interface (serial interface)

[0139] 14. Ethernet interface

[0140] 15. USB interface

[0141] 16. IrDA interface

[0142] 17. Bluetooth interface

[0143] 18. Modem/ISDN module

[0144] 19. RJ-45 interface

[0145] 20. Transparent router/VPN (IPSEC)

[0146] 21. System monitoring

[0147] 22. IDS

[0148] 23. DHCP

[0149] 24. Automatic update

[0150] 25. Key management

[0151] 26. Firewall

[0152] 27. Remote control

[0153] 28. Further optional software modules (such as virus scanners)

[0154] 29. Connection set-up to the client

[0155] 30. Exchange of non-encrypted data

[0156] 31. Exchange of the IP addresses

[0157] 32. Connection set-up to the server

[0158] 33. Data exchange for the management

[0159] 34. Data exchange for the configuration of the embedded hardware and software system

[0160] 35. Data exchange during update of the embedded hardware and software system

[0161] 36. UMTS interface

[0162] 37. DSL interface

[0163] 38. GPRS interface

[0164] 39. POT interface

[0165] 40. User application

[0166] 41. Operating system

[0167] 42. Hardware-specific driver (e.g. for the network interface)

[0168] 42 a. Hardware-specific driver, tuned to the embedded system according to the invention

[0169] 43. Bus system

[0170] 44. Network interface hardware

[0171] 44 a. Network interface hardware

[0172] 45. Network

[0173] 46. Safety functions (software) installed in the operating system of the computer to be protected

[0174] 47. External safety hardware

1. Method for safeguarding the communication in networks with the intermediate arrangement of a safety computer system between a protection-requiring data processing facility and the network, wherein the data exchange between the protection-requiring data processing facility and the network is monitored and/or controlled by at least one computer program implemented as embedded software on the safety computer system in accordance with a pre-specifiable set of rules.

2. Method according to claim 1, wherein the safety computer system is connected with the bus system of the protection-requiring data processing facility, and a connection between the protection-requiring data processing facility and the network is established by way of an interface of the safety computer system.

3. Method according to one of the claims 1 or 2, wherein the pre-specified set of rules for the monitoring and/or control of the data to be exchanged between the protection-requiring data processing facility and the network is person-related and/or covers the individually pre-specified rules on the protection-requiring data processing facility.

4. Method according to claim 3, wherein the individually pre-specified set of rules examines the authorisation for access from source systems to the protection-requiring data processing facility and/or examines the authorisation for access to target systems from the direction of the protection-requiring data processing facility and/or realises the encryption and/or the decryption of the data to be exchanged and/or performs the set-up of a virtual private network (VPN) and transmits the data to be exchanged transparently through the VPN channel and/or analyses the contents of the data to be exchanged.

5. Method according to claim 4, wherein the set-up of a VPN is effected after successful authentication.

6. Method according to claim 4, wherein the analysis of the contents of the data to be exchanged serves the detection of viruses and/or Trojan Horses.

7. Method according to one of the previous claims, wherein the configuration of the safety computer system and/or the embedded software is effected by way of an interface to the network.

8. Method according to one of the previous claims, wherein the maintenance and/or care administration of the safety computer system is effected from the direction of the protection-requiring data processing facility or as a remote maintenance via the network.

9. Method according to one of the previous claims, wherein the maintenance and/or care administration of the embedded software includes the extension of the functionality of the computer program implemented as embedded software.

10. Method according to one of the previous claims, wherein the computer program monitoring and/or controlling the data to be exchanged between the protection-requiring data processing facility and the network is not changeable or is only changeable after authentication from the side of the protection-requiring data processing facility.

11. Method according to one of the previous claims, wherein the safety computer system appears transparent for the protection-requiring data processing facility and/or for the network.

12. Method according to one of the previous claims, wherein the safety computer system is integrated as an embedded system in the communication interface of the protection-requiring data processing facility.

13. Method according to one of the previous claims, wherein the safety computer system is integrated as an insertion card or as a PCMCIA card in the protection-requiring data processing facility.

14. Method according to one of the previous claims, wherein the safety computer system is connected up to the protection-requiring data processing facility as in the case of conventional network connection hardware.

15. Method according to one of the previous claims, wherein the power supply of the safety computer system is effected by way of the protection-requiring data processing facility.

16. Method according to one of the previous claims, wherein data to be kept secret, such as electronic keys or electronic signatures, are only on the safety computer system.

17. Method according to one of the previous claims, wherein secret data on the safety computer system, from the side of the protection-requiring data processing facility, cannot be changed or called up, or can only be changed or called up after entry of a password.

18. Method according to one of the previous claims, wherein all data to be exchanged between the protection-requiring data processing facility and the network run through the safety computer system.

19. Computer system for safeguarding the communication in networks, wherein the computer system is executed as a single board computer or as a chip solution and encompasses at least one means for data exchange with a data processing facility to be protected, at least one means for data exchange with the network and at least one means for monitoring and/or control of the communication between the data processing facility to be protected and the network.

20. Computer system according to claim 19, wherein a means for data exchange with a protection-requiring data processing facility is connectable to the bus system of the protection-requiring data processing facility and/or a means for data exchange with the network is formed as a network interface.

21. Computer system according to one of the claims 19 or 20, wherein a means for data exchange with a protection-requiring data processing facility is formed as a PCMCIA bus or as a PCI bus or as a USB bus or as an IEEE 1394 bus (FireWire).

22. Computer system according to claim 19, wherein a means for data exchange with a protection-requiring data processing facility is formed as an RS-232 interface or as an Ethernet interface or as a USB interface.

23. Computer system according to one of the claims 19 to 22, wherein at least one means for data exchange with the network includes a modem and/or a mobile telephone processor.

24. Computer system according to one of the claims 19 to 23, wherein at least one means for monitoring and/or control of the communication includes a transparent router/VPN (IPSEC) (20) and/or a DHCP (23) and/or a key management (25) and/or a Firewall (26) and/or a remote control (27).

25. Computer system according to one of the claims 19 to 24, wherein at least one means for monitoring and/or control of the communication includes as a module a system monitoring (21) and/or an IDS (22) and/or an automatic update (24) and/or a virus scanner and/or an intrusion detection system and/or a public key management.

26. Computer system according to one of the claims 19 to 25, wherein the computer system is executed as a system on chip.

27. Computer system according to one of the claims 19 to 26, wherein the computer system is integrated in a cable or a card or a chip for the network access.

28. Computer system according to one of the claims 19 to 27, wherein the computer system is executed as an insertion card or as a PCMCIA card.

29. Computer system according to one of the claims 19 to 28, wherein the protection-requiring data processing facility is executed as a personal computer or as a laptop or as a network-compatible palmtop or as a network-compatible telephone.